Anthem Breach: Lessons One Year Later

It's been just over a year since health plan Anthem Inc. reported a record-breaking hacker attack affecting nearly 79 million individuals.

A number of key lessons have emerged from that breach that other organizations can apply to improve their own data security. Those lessons include the need to boost education of users about phishing; monitor IT environments and baseline user behavior; keep anti-malware programs up to date; implement two-factor authentication and data loss prevention tools; reassess how much personal information to collect and store; and develop and test an incident response plan.

While the healthcare sector has been the target of several other massive hacker attacks since the Anthem breach was revealed in February 2015, the Anthem incident still tops the Department of Health and Human Services' "wall of shame" website as the largest health data breach reported since HHS began keeping a tally in September 2009.

Phishing for Answers

Anthem said its breach investigation found that credentials of five IT workers had been compromised, likely through a phishing attack. Phishing attacks have been linked to several recent, high-profile hacker breaches impacting other health plans. For example, such an attack is suspected as the possible source of malware used in the breach at Premera Blue Cross, which affected 11 million individuals. Phishing has also led to breaches at healthcare provider organizations, including an incident affecting 307,000 individuals reported last May by South Bend, Ind.-based Beacon Health System.

Certainly, the size of [the Anthem breach] is still staggering," says Rebecca Herold, CEO of The Privacy Professor and co-founder of the consulting firm SIMBUS Security and Privacy Services. "The fact that access was obtained using the credentials of at least five employees points to the very longstanding weak link with information security - ensuring personnel know and understand how to secure the information they have access to and how to recognize phishing attempts."

Organizations need to be far more aggressive in educating their workforce to recognize phishing schemes and implementing technical controls aimed at stopping phishing emails from penetrating their network perimeter, says Tom Walsh, founder of the security consulting firm tw-Security. "It only takes one phishing email to get through the email gateway to cause a great deal of harm to an organization," he says.

"You hear about breaches all the time, and there is typically some element of phishing involved, but are healthcare organizations putting any true effort in training their users to be aware or using technology to alert to phishing emails on a grand scale? I think not," Vinson says. "The indicators of compromise are always present, but we miss them because our heads are in the sand while our behinds are exposed. But that sometimes seems the norm when trying to balance patient safety and security in healthcare."

Mark Dill, principle consultant of tw-Security, and former long-time CISO at the Cleveland Clinic, suggests organizations use simulated phishing attacks to educate users.

"Engage a service provider or acquire a tool that proactively phishes the workforce and educates them immediately upon 'fail,' which means clicking on the email or clicking on the embedded link or opening the attachment," he says. "These services or tools put the end user through a required education/tutorial - if they click - that informs they were phished/tricked and what they should have looked for to avoid being phished."

Anti-Malware and Monitoring

Still, organizations need to take several important steps in case users fall for phishing email scams that contain malicious code or links, Dill stresses.

Those steps, he says, include ensuring that endpoint antivirus agents are up to date and using a different email filter engine than the one supplied by the endpoint anti-malware tool. Dill also suggests ensuring that Web filters are up to date to block any untrusted or new links embedded in the emails.

The Anthem breach also spotlights the need to closely monitor systems and users.

"One huge takeaway from the Anthem breach is that we all truly need to subscribe to continuous monitoring in our environment and understanding user behavior - especially privileged users," Vinson says. "Had there been some targeted monitoring of what the privileged users were doing at Anthem, this suspicious behavior would have possibly been detected much sooner."

Dill also suggests evaluating "user behavior analytics" tools that can highlight user ID and device behaviors that have stepped away from their normal behavior. "That's a possible sign of system compromise via stolen credentials," he says.

In addition, he says it's important to monitor sequential critical database reads, which is a "possible sign of data theft in action - again, behavior that steps away from the norm - no person reads thousands of records sequentially."

The Anthem incident still raises serious questions that other organizations need to consider about access controls, says Herold, the consultant. "If [the Anthem users] didn't fall for social engineering, then did they use such poor passwords that they were easily guessed?" she asks. Two-factor authentication could play a critical role in preventing similar breaches, she stresses.

Once preventive tools are optimized, the focus should be on rolling out "detective tools" such as data loss prevention and security information and event management, or SIEM, tools "and their supporting processes and talent to run them to raise the visibility of attempted and successful malicious activity within your networks," Dill says. "If you cannot afford these tools, consider a managed service to provide them to you without the capital expense."

Collect Less Data?

The scope of records compromised by the Anthem breach highlights the need for organizations to carefully assess the necessity of storing vast amounts of personal information - plus scrutinize who can access it.

Better compliance to HIPAA's "minimum necessary" requirements regarding data use and access might have helped limit the amount of records exposed in the Anthem breach as a result of compromised credentials, Herold says.

"How could five sets of credentials have access to 80 million records?" she asks. "Were these network admins whose accounts were compromised?"

Organizations should limit the amount of Social Security numbers they collect, Walsh says, because they're are so valuable to fraudsters. "However, with the Affordable Care Act, there has been an increase in the collection of SSNs used to verify with the IRS annual earnings if an individual qualifies for government assistance with their insurance premiums," he notes.

Breach Notification Issues

Once Anthem announced the breach on Feb. 4, 2015, several state attorneys general criticized the company for taking too long to notify affected individuals (see AGs: Anthem Breach Notification Too Slow). Under HIPAA, covered entities have 60 days after a breach is discovered to notify individuals. But after the Anthem breach, some state AGs were growing impatient about individuals' notification after less than two weeks.

This is a reminder for organizations to be ready "when the inevitable breach does occur," Walsh says. "Assume that a breach like this will happen in your organization. The FBI has warned that cyberattacks to the healthcare industry will continue to rise."

And Walsh says it's important to consider conducting an internal audit to determine, "have we already been hacked and we didn't even know it?"

Another key step, he says, is the development of an incident response plan that includes creating playbooks, educating the response team and conducting a tabletop drill.

"More attention needs to be given to creating comprehensive incident detection and breach response procedures, with personnel identified and trained to be part of the incident and breach response team," Herold adds. "Organizations cannot simply assign someone to a breach after it happens and then hope that things turn out okay."

Impact on Victims?

Despite the size of the breach, Anthem tells Information Security Media Group that one year later, there are still no signs that the incident has resulted in harm to victims.

"The FBI has been actively investigating this crime since January 2015, and investigators have found no evidence that the cyber attackers have shared or sold any of our members' data. Also, there is no evidence that fraud has occurred against our members, including fraudulent tax returns, as a result of the cyber attack," an Anthem spokeswoman says.

"At Anthem, securing our member, provider and client data is a top priority," she adds. "We maintain a diligent focus on data security and our information security program strives to protect, control and maintain the security of our technology environment."

About the Author

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;